For connections from a public network to a private network, the IPsec technique has been standardized by the IETF to establish a secure communication path. Support for IPsec is indispensable in IPv6. Assume that IPsec is applied to a mobile environment in which a mobile wireless terminal apparatus can move freely between a public network and a private network, and that the mobile wireless terminal apparatus connects to the private network from the public network. In this case, every time the mobile wireless terminal apparatus moves, an IP address usable in the moving-destination public network is assigned by DHCP (Dynamic Host Configuration Protocol) or the like. In other words, the IP address varies with the moving destination of the mobile wireless terminal apparatus.
For this reason, the security gateway in the private network at which the IPsec tunnel terminates would need to know the IP address of every moving destination, which makes it difficult to perform the IPsec key exchange using the IP address of the mobile wireless terminal apparatus, and it is therefore practically impossible to establish the IPsec tunnel in main mode. Accordingly, the IPsec tunnel must be established in aggressive mode, in which the IPsec user ID (ISAKMP ID payload) is communicated between the networks without being encrypted, resulting in degraded security.
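The exposure described above can be checked on the wire: in an aggressive-mode first message the ISAKMP ID payload sits in the unencrypted payload chain, whereas in main mode the ID payload only appears in a message whose encryption flag is set. The following Python script is an added example, not part of this document; it parses the ISAKMP header and payload chain (RFC 2408 layout) and reports any identity readable without decryption. The datagrams it inspects are constructed inline, not captured from any real device.

```python
import struct
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 header: cookies, next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")        # generic payload header: next payload, reserved, length
EXCH_MAIN, EXCH_AGGRESSIVE, FLAG_ENCRYPTION = 2, 4, 0x01
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}

def build_message(exchange, flags, payloads, msg_id=0):
    # Assemble an ISAKMP datagram from (payload_type, body) pairs; used only to construct test traffic
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange, flags, msg_id,
                           ISAKMP_HDR.size + len(chain)) + chain

def parse_payloads(msg):
    # Return (exchange_type, flags, [(payload_type, body), ...]); the chain is walked only when unencrypted
    _, _, nxt, _, exchange, flags, _, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match datagram")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != 0 and not flags & FLAG_ENCRYPTION:   # encrypted chain is ciphertext: nothing to walk
        nxt_next, _, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("malformed payload length")
        payloads.append((nxt, msg[off + PAYLOAD_HDR.size:off + plen]))
        nxt, off = nxt_next, off + plen
    return exchange, flags, payloads

def cleartext_identity(msg):
    # Return "IDTYPE:value" when an ID payload is readable without decryption, else None
    exchange, flags, payloads = parse_payloads(msg)
    for ptype, body in payloads:
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type, data = body[0], body[4:]          # ID type, then DOI-specific protocol/port, then data
            name = ID_TYPE_NAMES.get(id_type, "ID_TYPE_%d" % id_type)
            value = ".".join(str(b) for b in data) if id_type == 1 else data.decode("ascii", "replace")
            return "%s:%s" % (name, value)
    return None

# Constructed traffic (not real captures): aggressive-mode message 1 carries SA, KE, Nonce and ID in the clear
AGGRESSIVE_MSG1 = build_message(EXCH_AGGRESSIVE, 0, [
    (PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_KE, b"\x42" * 16), (PAYLOAD_NONCE, b"\x24" * 8),
    (PAYLOAD_ID, bytes([3, 17]) + (500).to_bytes(2, "big") + b"alice@example.com")])
# Main mode: message 1 carries only the SA proposal; the ID travels later (message 5) under encryption
MAIN_MSG1 = build_message(EXCH_MAIN, 0, [(PAYLOAD_SA, b"\x00" * 8)])
MAIN_MSG5 = build_message(EXCH_MAIN, FLAG_ENCRYPTION, [(PAYLOAD_ID, b"\x9a" * 24)])
```

Run over UDP/500 datagrams, `cleartext_identity` returning a value for an aggressive-mode exchange is the condition a gateway operator would want to alert on; main-mode exchanges never trigger it because their ID payload is only ever seen with the encryption flag set.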
Further, it is indispensable in IPsec to support a pre-shared secret key scheme by which the two parties establishing the IPsec tunnel authenticate each other. However, there is a concern that security deteriorates with continued use of a single pre-shared secret key. Changing the pre-shared secret key at regular time intervals to maintain security has been considered, but this imposes a heavy burden on both the user and the administrator.
As a protocol for dynamically distributing a pre-shared secret key used in IPsec authentication, PIC (Pre-IKE Credential Provisioning Protocol) has been proposed in the IETF (Internet Engineering Task Force) (see Non-patent Document 1).
PIC establishes a secure communication path between the mobile wireless terminal apparatus and an authentication server using ISAKMP (Internet Security Association and Key Management Protocol), which is also used in IPsec, and exchanges over that path the authentication information required for PIC authentication. When authentication succeeds, the authentication server issues to the mobile wireless terminal apparatus authentication information (for example, a pre-shared secret key or a public key certificate), called a credential, for use in subsequent IPsec authentication.

[Non-patent Document 1] “PIC, A Pre-IKE Credential Provisioning Protocol”, draft-ietf-ipsra-pic-06.txt, http://www.ietf.org/internet-drafts/draft-ietf-ipsra-pic-06.txt